Jackpot! Cyberattacks on ATMs on the rise

A recent report from security firm Trend Micro and the European Cybercrime Center (EC3) highlights the risks posed to ATMs from cyberattacks.

For many years ATMs were unattractive targets for cyberattackers because ATMs often used proprietary software developed by each ATM manufacturer. ATMs were also difficult to hack because many were not easily accessible online, so an attack would require someone to physically access the computer in the ATM to load malware.

Two changes have made ATMs much more attractive targets. The first change was standardization of ATM operating systems. A majority of the 3 million ATMs in operation worldwide still run a version of Windows XP or Windows XP Embedded. Some ATMs run on even older Windows operating systems. Standardized operating systems mean that malware developed to exploit a security flaw can take advantage of many more ATMs.

The problem for banks is that many of these operating systems are now outdated. Microsoft discontinued support for Windows XP on April 8, 2014, and for Windows XP Embedded on January 12, 2016. This blog has previously explained the importance of regularly updating software. Microsoft’s decision to discontinue support for ATM operating systems means that those systems will no longer receive updates in response to security holes that cyberattackers identify. Any security flaw that existed in an ATM operating system as of the date that service was discontinued will exist as long as that ATM still relies on that operating system.

The second change that made ATMs more attractive to cyberattackers was the rise of third-party services that give banks the ability to manage ATMs remotely. This so-called “middleware” gives cyberattackers a new vector that they can exploit to access ATMs remotely.

Consequently, according to Trend Micro and EC3, attacks on ATMs increased 15% from 2014 to 2015 in Europe. Statistics were not available for the United States, but there is no reason to think that there are fewer instances of fraud in the United States than in Europe.

Cyberattackers are currently experimenting with a variety of malware that can compromise ATMs. The most common attacks will either cause an ATM to “jackpot”—dispense all of the currency from its safe—or turn the ATM into a card skimmer that records and transmits to cyberattackers card and pin numbers.

As with any new cyberthreat, there is not one solution that will protect ATMs. However, there are several industry recommendations supported by Trend Micro and EC3:

1. The ATM has two distinct compartments: the PC and the safe. Each section should be accessible by different maintenance employees and should require different customized sets of lock keys.
2. Each set of keys should not be easily accessed by anyone and, ideally, they should be specific for each ATM. Ideally, the PC compartment should be made as secure as the safe box.
3. Implement BIOS passwords which should be changed after every time it’s accessed by maintenance staff.
4. The hard drive of the ATM PC needs to be encrypted and checked for integrity to detect changes.
5. The initial hardware communication between the PC and the cash dispenser needs to be authorized and encrypted. This is to prevent rogue hardware devices communicating with the cash dispenser.
6. All firmware running on any hardware devices on the ATM PC should not be susceptible to a version downgrade or rollback. Firmware upgrades should require special authorization via encryption keys or other secure means.
7. There has to be a clear policy on how and when the software in use is to be updated or upgraded. Make sure the update process never shows vital information on-screen, like usernames, IPs, file system paths, passwords, etc.

ATM attacks are likely to increase in the coming years, particularly if there is no concerted effort to update ATM operating systems. Banks should be mindful of the risks and take appropriate steps to mitigate those risks.

The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.